Comprehensive Guidelines for Supervision of Major Banks, etc.


(Provisional Translation of “VI Supervision of Foreign Bank Branches” and the related parts) 
VI Supervision of Foreign Bank Branches 
VI-1 The Purpose 


A foreign bank that has a branch office, a sub-branch or other business office (hereinafter 
collectively called “branch office”) in Japan is directly subordinate to the head office located in a foreign 
country where the Banking Act and other relevant Japanese laws and regulations are not applicable. 
Depending on the business management methods of the head office, and on the types or contents of 
operation, as well as on the business division to which the branch office belongs, the supervisory or 
management relationship between business divisions within a branch office, or between several branch 
offices, if there are more than one, may not function properly. 

Therefore, when supervising branch offices of a foreign bank about the soundness and 
appropriateness of the business operations, it is important that the supervisors take supervisory actions 
such as: making efforts to identify the actual state of the management of business operations at the 
branch office and the risks involved therein, in light of the management characteristics of the foreign 
bank and the individuality and diversity of the branch office’s business operations; engaging in 
communication and consultation with the foreign bank’s head office and the supervisory authority of the 
bank’s home country; or requiring the submission of reports based on the Banking Act and other laws
and regulations as necessary.


(Note) The supervisory viewpoints written below are those which the supervisors should especially pay 
attention to, in light of the characteristics of the foreign bank branches. In supervising them, the 
supervisors will also refer to other parts of this guideline when needed, in light of the operations of the
branch office.

VI-2 Major Supervisory Viewpoints


(1) Appropriate Oversight of Business Management and Operations of the Branch Office by the Head 
Office and the Management Team of the Branch Office 


(i) Whether the significance of placing the branch office in Japan and the positioning of the branch 
office within the group are clarified, when the head office or the regional head office (hereinafter
collectively called “head office, etc.”) establishes management policies or plans of the entire group.
Whether the business strategies or plans of the branch office are consistent with the policies or plans
of the entire group and are also sustainable. 

(ii) Whether the management team of the branch office and employees dispatched from the head office, 
who are adept in the management and business operations of the branch office, are appointed and 
appropriately allocated. (Whether the management team, managers in charge of business operation 
and management with sufficient qualifications and experience to manage the business operations of 
the branch office in Japan are appointed and whether appropriate and reasonable personnel rotation 
is periodically implemented.) 

(iii) Whether the head office, etc. has delegated adequate and appropriate authorities to the 
management team of the branch office and managers in charge of business operation and 
management, and clarified division of the responsibilities between the branch office and the head 
office, etc., in order to ensure proper management of the branch office. In addition, whether the 
authority and the responsibility is adequately and appropriately distributed within the branch office 
so that the management team can properly conduct business management. (Whether legitimate and 
effective rules concerning the organization and authorities have been formulated, and whether the 
rules are ensured to be well known.) 

(iv) Whether the head office, etc. has developed and maintained a system to supervise, manage and 
monitor the branch office in a manner suited to the actual state of the branch office’s business 
operations and risks. (Whether it is ensured that the head office’s divisions in charge of business 
management and supervision of international business operations have an appropriate and adequate 
system to supervise, manage and monitor the foreign branch office.) 

Concerning the foreign banks that have several branch offices in Japan, whether the
representative person in Japan recognizes the strategies and plans such as the profit target of the 
entire branches in Japan, and whether the person manages the branch offices in a comprehensive 
way, such as requiring necessary reports from each office, in order to establish an internal control 
system which is consistent with such strategies and plans. 

(v) Whether a system has been developed to enable quick and appropriate communications and 
reporting to the head office, etc. and relevant supervisory authorities when an operational or 
managerial problem or misconduct occurs in the branch office. 

(vi) Whether the internal control system of the branch office is sufficient, in light of the positioning of 
the branch office within the entire group, the business strategies and plans, and also taking into 
account the actual business operations and risk profile. 

(vii) Whether the head office, etc. properly recognizes the status of risks of the branch office, and 
takes necessary measures, having identified not only the business operations and financial condition, 
but also the risk profile of the branch. 

(viii) Whether the management team of the branch office checks whether there are any inadequacies in 
light of (i) through (vii) above, and takes necessary measures in proper consultation with the head
office, etc.


(2) Development of Control Environment for Legal Compliance 


(i) Whether the branch office’s control environment for legal compliance (including the development 
of effective rules concerning the organization and management and the establishment of the 
personnel structure and operational systems) has been established and maintained to ensure full 
compliance with the Banking Act of Japan and other domestic and foreign laws and regulations 
related to business operations. 

(ii) Whether a system is developed to check, on an ongoing basis, how well versed officers and 
employees of the branch office are in the Banking Act and relevant laws, regulations and rules, and 
to conduct education and training appropriately as necessary. 

(iii) Whether a system has been established and maintained to enable quick and appropriate reports 
and reactions when a violation of laws and regulations occurs or inappropriate business operation is 
detected. (Whether independent functions of internal checks and monitoring on the activities of the 
branch office’s manager in charge of business operations, or on the activities of the sales division, 
etc. have been developed.) 

(iv) Also, in cases where the officers and employees at the branch office are not well versed in 
Japanese laws, regulations and rules for any reason, whether the head office, etc. and the branch 
office strive to establish a system and make ongoing efforts to deal with the situation appropriately
and to thoroughly ensure necessary guidance and monitoring.


(3) Development of Risk Management System 


(i) Whether systems to manage various risks, such as credit risks, market risks, liquidity risks, 
operational risks, and system risks, are developed, which are suited to the actual status of the 
business operations of the branch office. Whether the head office adequately and sufficiently 
supervises and monitors the risk management. 

(ii) Whether an in-branch control system (including effective rules concerning the organization and 
management and the establishment of the personnel structure and operational systems) has been 
adequately and sufficiently developed, to detect the occurrence of risks related to the business 
operation at early stages and to properly deal with and rectify them. 

(iii) Whether a system has been established and maintained to enable quick and appropriate reports 
and reactions when a problem related to risk management comes to light. (Whether independent 
functions of internal checks and monitoring on the activities of the branch office’s manager in 
charge of business operations, or on the activities of the sales division, etc. have been developed.) 

(iv) When the group has transactions that involve several offices, such as when the office conducting 
credit examination or making contracts and the office where the transactions are booked are 
different regarding credit transaction or market transactions, whether the function and the role of the 
head office, etc. and the branch office in the entire bank is clarified. Whether the function and the
role is reasonable and appropriate in conducting risk management of the entire group.




(4) Implementation of Inspections and Audits of Business Operations and Follow-Up 


(i) Whether the effectiveness of inspections (including self-inspections) and internal audits of the 
business operations of the branch office is ensured. Particularly, whether the internal audit division 
at the head office and the branch office is able to properly conduct internal audits, taking into 
account the contents and risk profile of the branch’s business operations. Whether the management 
of the head office, etc. and the branch office takes appropriate measures in light of the outcome of 
the internal audit. 

(ii) Whether employees and managers well versed in the Banking Act and other laws and regulations 
related to business operations are allocated to the divisions in charge of inspections (including self 
inspections) and internal audits. 

(iii) Whether audits of business operation suited to the actual state and risks of the branch office’s 
business operations are implemented. Whether outside experts are utilized according to the risk 
level and necessity. 

(iv) Whether the implementation of improvement and follow-up activities is ensured, with regard to 
matters pointed out in the inspections and audits of the branch office. (Whether the division of 
responsibilities at the bank has been clarified to ensure the implementation and completion of
improvement and follow-up activities.)


(5) Establishment of Appropriate Information Management System 


(i) Whether the system of the branch office for the information management by the branch office and 
the head office has been appropriately and sufficiently developed (including the development of 
effective rules concerning information management, the full awareness of the rules by executives 
and employees, and the establishment of the personnel structure and institutional systems). 

(ii) Whether a system has been developed to ensure that the branch office and the head office can 
quickly and appropriately take measures, and provide explanations to customers, relevant parties, 
supervisory authorities, etc. when a problem related to information management concerning the 
business operations of the branch office or an accident, such as a leak of customer information, 
occurs. 

(iii) Whether the causes of problems related to information management and accidents, such as a leak 
of customer information, are investigated and analyzed, and proper and appropriate improvement 
plans are established and their implementation is ensured. 

(iv) Regarding customer information management in particular, whether a management system suited
to the business operations of the branch office is developed in reference to III-3-3-3 “Management
of Customer Information.”


(6) Enhancement of Complaint Processing Function 


(i) Whether cases such as complaints that arise from the business operations of the branch office are 
accumulated and analyzed, and whether efforts are made to improve the control environment for 
customer explanations, in particular at the time of the contract signing. 

(ii) Whether a system to swiftly and properly deal with violence used to intervene in civil legal issues, 
such as blocking any relations with anti-social forces, has been developed. In particular, whether a 
system of central control over legal affairs has been developed and is functioning, to properly report 
“Suspicious Transactions,” based on the Anti-Criminal Proceeds Act, including remittances, fund
settlements and credit-related transactions.


(7) Outsourcing of Administrative Operations of Branch Office 


(i) In cases where a branch office entrusts some or all of the administrative operations necessary for 
the execution of business operations to an external entity, whether a management system has been 
appropriately developed or not, considering the actual status of entrustment and its risks, in 
reference to III-3-3-4 “Outsourcing.” 

(ii) In particular, it should be kept in mind that “outsourcing” should be understood as entrusting part
or the whole of administrative operations necessary for the execution of the branch office’s business
operations to an external entity but not as entrusting the branch’s business management or the
function of operational management (including important personnel management policies) to an
external entity.


(8) Entrustment of Business Operations to Business Operation Service Provider 


In cases where a branch office of a foreign bank entrusts its business operations to an entity 
specified under Article 32(2) of the Cabinet Office Ordinance Concerning Financial Instruments 
Businesses, etc. (hereinafter referred to as “the business operation service provider” in this section), 
the following points shall be noted from the viewpoint of ensuring the sound and appropriate
management of the banking business.


(i) Whether the entrusted business operations are limited in terms of scope and content to the 
administrative operations that are related to the banking business but do not concern the 
fundamentals of the business. Whether the reasonableness of the entrusted business operations and 
the appropriateness of the entrusted party are sufficiently deliberated on and examined in relation to 
the information management-related risk involved in the entrustment and operating risk as well as 
the business execution capability and management system of the business operation service provider, 
in light of the fact that the entrusted business operations are closely related to the execution of the
banking business even if the entrusted business operations do not concern the fundamentals of the
business.

(ii) It should be kept in mind that the ultimate responsibility for the management of the entrusted 
business operations and the responsibility from the standpoint of regulation shall rest with the 
foreign bank branch office even if the responsibility stems from the execution of business 
operations by the business operation service provider. Therefore, whether a manager in charge of 
the entrusted business operations has been appointed and whether a system to manage the business
operation service provider has been developed and the division of responsibilities has been clarified.


(9) Development of an Internal Control System to which a System of Concurrent Holding of Position is
adopted


Regarding the examination, improvement and enhancement of the internal control system of a 
foreign bank branch office that adopts the system of concurrent holding of positions within a financial
group that has established a securities subsidiary and a branch office engaging in securities-related
businesses and the like in Japan, V-3-3-5 “Relationship between Banks and Securities Subsidiary, etc.”
should be referred to.


(10) Compensation structure 


Regarding the planning and application of the branch office’s compensation structure, the home 
supervisors bear primary responsibility for proper supervision on a group basis in order to ensure that 
the incentive of the executives and the employees to take risks is not excessive. 

On the other hand, in order to cooperate with the home supervisors properly, the supervisors 
will also monitor the branch office’s planning and application of the compensation structure. In 
particular, when there is a possibility that the compensation structure will lead to excessive risk-taking, 
the supervisors will closely examine the risk management issues, and take necessary measures such as
raising an issue with the home supervisors.


(11) Maintaining an Orderly Credit System, including the Protection of Depositors (examination criteria
for a deposit-taking foreign bank branch to obtain banking license and its supervisory viewpoints)


(i) Regarding the asset management of a foreign bank branch, in the case where its investment strategy
is excessively concentrated on transferring funds to its group’s overseas offices, several issues may 
occur. Those issues include: the foreign bank branch may find difficulty in assessing its own 
portfolio, and Japanese supervisory authorities may find difficulty in examining whether its assets 
are invested appropriately. 

(ii) Thus, in the case of a foreign bank branch, especially regarding funds raised through collecting 
local deposits, the foreign bank branch should develop an internal control system in order to operate
banking business properly and fairly, taking into account the need for secure transactions for
depositors. For example, the foreign bank branch should adequately understand how the funds are
invested, and should not excessively depend on transferring the funds to its group’s other offices.

(iii) Considering the abovementioned matters, regarding the examination of the banking license of a
foreign bank branch, it is necessary to judge whether its investment strategy is excessively
concentrated on transferring its funds to its group’s other offices or not. In particular, for example, the
business plan after the establishment of the bank branch would be assessed, based on the viewpoint
of whether the large part of deposits collected domestically are invested in overseas offices or not.


(Note) When a foreign bank branch takes retail deposits, considering the current situation that the 
Deposit Insurance system is not applied to the foreign bank branches, and considering the nature of 
retail deposits which directly relates to the funding for individuals’ lives, such retail deposits should 
be invested into safer assets in general. 

(iv) In addition, even after the foreign bank branch has been established, how much funds are 
transferred within the group (especially through the interoffice accounts), how much assets are held 
domestically, the nature of deposits collected by the foreign bank branch and the way they are 
collected and monitored, as well as whether the large part of domestically collected deposits are 
constantly invested overseas via interoffice accounts, and whether its investment strategy is 
excessively concentrated on transferring its funds to its group’s overseas offices, are examined.

(v) Furthermore, when a foreign bank branch takes deposits, in addition to the items mentioned in the 
Banking Ordinance Article 30-2 (i) and (ii), the internal control system to provide its customers 
with an appropriate explanation depending on the customer’s level of knowledge and experience is 
examined. The explanation may include: 

a. whether the deposit products are covered by the deposit insurance system of the foreign bank’s 
home country or not, and if so, the details of the system. 

b. the fact that the solvency of the foreign bank branch is ultimately sourced from the foreign bank 
on a consolidated basis, and that the financial stability of the foreign bank on the consolidated
basis is under the supervision of its foreign regulators.


VI-3 Supervisory method and Actions 


(1) The supervisors shall conduct hearings, as necessary, on a periodic and ongoing basis, with the 
branch office on the points written in VI-2, taking into account the characteristics of business 
operations of the office. Also, seizing the opportunities to talk directly with the head office, etc., 
supervisors shall strive to share perceptions of the issues affecting the entire group and the branch. 
Furthermore, the supervisors shall conduct an interview, as necessary, on the outcome of the internal 
audits which the internal audit division of the head office, etc. or the branch office conducted for the 
branch office. 

The supervisors shall cooperate and exchange information, as necessary, with the supervisory
authorities of the foreign bank’s home country and other relevant foreign supervisory authorities,
actively utilizing frameworks of cooperation with home supervisors, in light of the fact that the need to
strengthen cooperation with foreign supervisory authorities has grown and the convergence of 
regulations and standards is accelerating in line with the internationalization of banks’ business 
operations and increasing financial conglomeratization. 

Regarding the issues that were brought by the approaches written above, which involve the group as 
a whole, the supervisors shall conduct hearings with the branch office in detail on the effects that the 
issues cause on the management and business operation of the branch office, and on the measures that
have been taken to cope with the effect.


(2) In cases where the business operations or the internal control system of a foreign bank branch office
is deemed to have a problem in light of the results of regular offsite monitoring mentioned in (1) or
inspection results or the contents of a report on misconduct and other problematic conduct, the
supervisors shall require the branch office to submit a report under Article 24(1) of the Act as
necessary and also require the head office of the foreign bank to submit a report under Article 48 of
the Act. If a serious problem is recognized, the supervisors shall take an administrative action, such as
issuing an order for business improvement under Article 26 of the Act.


(3) In addition, the supervisors shall seek to engage in direct communication and share the recognition of 
problems with the foreign bank’s head office in the home country through the “System for Exchanges 
of Opinions” described in II-5-3 and, as necessary, hold consultations with the home supervisors and
other authorities.


(Note) In cases where a foreign bank branch belongs to a financial conglomerate operating 
internationally, the Guideline for Financial Conglomerates Supervision should be referred to as
necessary.


- Related parts (Sections referred to in “VI Supervision of Foreign Bank Branches”)


II-5-3 System for Exchange of Opinions 


(1) The Purpose 


In cases where the FSA takes an adverse disposition, it will be effective for the FSA and banks to 
exchange opinions at multiple levels upon the request of the banks, in addition to providing banks with 
the opportunity for hearings or explanation based on the Administrative Procedure Act. Such dialogue
will share the recognition of the facts and the seriousness that are the reason for the adverse disposition.


(2) Supervisory Method and Actions 


Through the hearing process concerning the submission of report based on Article 24 of the 
Banking Act, the bank may recognize the possibility of an adverse disposition to be imposed on itself. In 
such case, if the bank requests an opportunity for exchanging opinions (Note 1) between senior FSA 
officials (Note 2) and the bank executives, and if the FSA intends to take an adverse disposition 
accompanied by providing banks with an opportunity for hearing or explanation, prior to the notice of 
such processes, the FSA will provide an opportunity for exchanging opinions, in order to share the 
recognition of the facts and the seriousness that are the reason for the adverse disposition. 

However, the FSA will not provide an opportunity for exchanging opinions prior to the notice when
it is necessary to take the adverse disposition urgently.


(Note 1) Requests from banks for an opportunity for exchanging opinions shall be met only if they are 
made between the receipt of reports submitted based on Article 24 of the Banking Act and the notice 
of opportunities for hearings or explanations. 


(Note 2) “Senior FSA officials” includes the directors of the relevant divisions of the FSA.


III-3-3-3 Management of Customer Information


III-3-3-3-1 The Purpose 


As customer information constitutes the basis of financial transactions, it is extremely important to 
ensure the appropriate management of such information, and banks are required to take measures to 
ensure the appropriate management of customer information they have acquired in relation to their
business. (Article 12-2(2) of the Banking Act.)

In particular, information regarding individual customers needs to be handled in an appropriate
manner in accordance with the Enforcement Ordinance of the Banking Act, the Act on the Protection of
Personal Information, the Guidelines for Personal Information Protection in the Financial
Field (hereinafter referred to as the “Personal Information Protection Guideline”) and the guideline for
practical affairs regarding safety control measures specified in the guideline on the protection of personal 
information in the financial sector (hereinafter referred to as the “Practical Guideline”). 

Personal Information including credit card information, such as card number, and expiration date 
should be strictly managed, considering the high possibility of the occurrence of secondary troubles, 
such as shopping by impersonation and inappropriate use of information. 

Moreover, as banks can obtain corporate information (Article 1(4)(14), Cabinet Office Ordinance 
on Financial Instruments Business, etc.), they should strictly manage the information, and they should 
prevent unfair transactions such as insider trading. 

It is important for banks to establish a system in order to appropriately manage both individual 
customer information and corporate information (hereinafter collectively called “Customer
Information”).


III-3-3-3-2 Major Supervisory Viewpoints


(1) Management of Customer Information 


(i) Whether the management recognizes the necessity to ensure the appropriateness of Customer
Information management and the importance thereof, and attempts to develop the internal control 
system, such as establishing a system to ensure the appropriateness, including the implementation of 
the check-and-balance system between divisions, and establishing internal rules. 

(ii) Whether the bank has formulated a specific standard for the handling of customer information and 
ensured that all executives and employees are aware of and comply with the standard, via training 
courses and other necessary measures. In particular, whether the bank has formulated a standard for 
the provision of such information to third parties based on careful consideration conducted from the 
viewpoint of compliance (obligation of confidentiality and duty of accountability to customers) and 
reputation. 


(iii) Whether the bank has a system to examine the appropriateness of customer information
management, which includes thorough access management (such as the prevention of the use by a
person without the access authorization), measures to prevent the carrying out of customer 
information by insiders, a robust information management system that prevents illegal access from 
the outside, and measures to prevent leak of customer information when consolidation of offices is 
conducted. 

Whether appropriate measures to prevent illegal acts using customer information, such as 
distributing authorization concentrated on a specific employee, or strengthening checks and 
surveillance on the officer that has large authorization are taken. 

(iv) Whether the bank has developed systems to appropriately report leak of customer information to 
the division in charge of customer information management. 

Whether the bank has developed systems to promptly and appropriately explain the leak to the 
customer, report it to the authority, and publish it when necessary, from the viewpoint of preventing 
secondary damage. 

Whether the bank analyzes the cause of the leak and takes measures to prevent recurrence. 
Moreover, whether the bank considers necessary measures to prevent a leak similar to leaks that 
occurred at other banks.

(v) Whether the Internal Audit Division independent from other sections conducts audits constantly or
as required, over a wide range of business operations regarding customer information management. 

Whether the bank appropriately takes measures such as providing training, in order to enhance the
specialty of employees in charge of inspections regarding customer information management.


(2) Management of Personal Information 


(i) Regarding the safety control and supervision of employees, concerning information of individual 
customers, whether the bank has implemented the following necessary and appropriate measures in 
accordance with Article 13-6-5 of the Enforcement Ordinance, in order to prevent such information 
from being leaked, lost or damaged. 

A. Measures based on Articles 10 and 11 of the Personal Information Protection Guideline
B. Measures based on Sections I and II and Attachment 2 of the Practical Guideline 

(ii) Whether the bank has implemented measures to ensure, in accordance with Article 13-6-7 of the 
Enforcement Ordinance, that information regarding race, religious belief, family lineage, birthplace, 
health, medical records, and criminal records of individual customers, as well as other specified 
private information (Note), is not used except for the cases specified in Article 6 (1) of the Personal 
Information Protection Guideline. 

(Note) “Other specified private information” includes: 
(a) Information regarding labor union membership 
(b) Information regarding ethnicity
(c) Information regarding sexual orientation

(iii) Regarding credit card information, whether the following measures are taken.

(a) Whether the bank sets an appropriate preservation period with due consideration for the purpose
of use and other circumstances, limits preservation space, and promptly disposes of the information
after the period.

(b) When the credit card information is shown on the computer screen, whether the bank takes
appropriate measures such as hiding some numbers, except when the information is needed for
business operation.

(c) Whether the independent division in charge of internal audits conducts audits constantly or as
required, over the sufficiency of the rule and the system to save credit card information.


(3) Prevention of unfair transaction, such as insider trading by using company information. 


(i) Whether the bank has developed an appropriate internal control system, such as making a rule 
concerning transactions by executives and employees, such as securities buying and selling, and 
revising the rule when necessary. 

(ii) In order to prevent unfair transaction, such as insider trading, by executives and employees, 
whether the bank takes measures to enhance the consciousness of Legal Compliance, such as 
strengthening professional ethics, and informing relevant laws and rules thoroughly. 

(iii) Whether the bank takes appropriate measures in order to prevent unfair transactions, such as 
obligating reports when executives and employees able to obtain company information make
transactions of securities relevant to the company.


III-3-3-3-3 Supervisory Method and Actions


In cases where it is deemed in light of the results of an inspection or the contents of a notification on 
misconduct and other problematic conduct that a bank’s system for managing customer information has a 
problem, the FSA shall require the submission of a report under Article 24 of the Act as necessary. If a 
serious problem is recognized, the FSA shall take action, such as ordering business improvement under 
Article 26 of the Act. 

With regard to information of individual customers, under the Act on the Protection of Personal
Information, the FSA shall require submission of reports, give advice about the management of customer
information, and issue recommendations or orders for rectifying violations of the Act, as necessary, in
addition to taking actions based on the Banking Act.

III-3-3-4 Outsourcing


III-3-3-4-1 The Purpose 


When banks entrust business operation to third-party entities (hereinafter referred to as
“outsourcing”), they can enhance management efficiency. Moreover, by entrusting business operations to
entities with superior expertise, banks can expect better response to diverse needs of customers, and 
prompt actions based on quick technological innovation. However, when banks outsource business 
operations, they are required to protect customers, and to ensure the soundness and appropriateness of 
the operation, such as properly managing the various risks involved in the outsourcing. Therefore, banks 
are required to implement measures to ensure an appropriate execution of outsourced business operations 
under relevant laws and regulations (Article 12-2(2) of the Act and Article 13-6-8 of the Enforcement 
Ordinance). 

The points described below are general viewpoints which should be taken into consideration when
banks outsource business operations. Depending on the contents of the outsourced business operation,
additional verification may be necessary.


(Note 1) “Outsourcing” includes entrustment of administrative operations necessary for operating 
business. Cases where a business operation is deemed to be virtually outsourced without the signing of 
an outsourcing contract, and cases where the outsourced business operation is conducted abroad, are 
also included. 

(Note 2) In cases where part of processes necessary for business operations particular to banks is 
outsourced (excluding cases where Bank Agency Service is provided under the permission specified 
under Article 52-36(1) of the Act), the FSA shall take care to verify that the outsourced business 
operation does not fall under Bank Agency Service, in addition to verification based on the following 
viewpoints. 

(Note 3) Outsourcing business activities incidental to Banking only, for example, does not constitute the 
Bank Agency Service, which requires a permission based on the Banking Act. However, in cases 
where such outsourcing is done, the FSA staff shall strive to grasp the status periodically based on the 
following viewpoints through hearings with the outsourcing bank. 

(Note 4) In cases where outsourcing is done between the bank and its subsidiary, the FSA shall also refer 
to V-3-3, etc. 


III-3-3-4-2 Major Supervisory Viewpoints
(1) Whether the bank has developed the systems considering the following points, including the requirement
of developing the systems in outsourcing contractors under outsourcing contracts, in order to protect
customers.

(i) Whether it is made clear that the outsourcing of business operations does not cause any change in
the contractual relationship of rights and obligations between the bank and its customers, and that 
the customers still have the same rights as they would have if the bank itself conducted the 
operation. 

(ii) Whether the bank has developed a system to ensure the prevention of inconvenience that may be 
caused to customers if they cannot receive the services guaranteed under their contracts related to 
outsourced business operations. 

(iii) Whether the bank appropriately manages customer information, including the prohibition of 
utilization other than for intended purposes and has imposed the obligation to preserve secrecy on 
the outsourcing contractors. 

(iv) In cases where the bank outsources the management of information regarding individual 
customers, whether the bank has taken the following measures, necessary and appropriate to prevent 
such information from being leaked, lost or damaged, concerning the supervision of the outsourcing 
contractor, based on the Banking Ordinance Article 13-6-5. 

A. Measures based on Article 12 of the Personal Information Protection Guideline
B. Measures based on Section III of the Practical Guideline 

(v) Whether the bank has clarified the division responsible for management of the outsourcing
contractor, and whether the bank examines the appropriateness of the customer information
management, for example, by monitoring the operation constantly or as required.

(vi) Whether the bank verifies the development of the system to promptly report to the bank when a 
leakage accident occurs at the outsourcing contractor. 

(vii) Whether the bank restricts the access rights of the outsourcing contractor for customer 
information to a necessary range, according to the outsourced business operation. 

Next, whether the bank verifies which executives and employees of the outsourcing contractor
have access rights and confirms that the rights are limited.

Moreover, whether the bank verifies the thorough access management by the outsourcing 
contractor in order to prevent the use of the access rights by a person without the rights. In detail, 
the bank verifies that the outsourcing contractor has checked the utilization constantly or as required, 
including matching the person with the rights and the person who actually used the rights. 

(viii) When the outsourced business operation is re-entrusted, whether the bank verifies the sufficient 
management over the re-entrusted entity by the outsourcing service contractor. Whether the bank 
directly manages the re-entrusted entity when necessary. 

(ix) Whether the bank has developed an appropriate system to handle inquiries and complaints, such
as establishing a system to directly report complaints from customers to the bank.

(2) Whether the bank has conducted comprehensive verification over the following points, to ensure the
soundness of management and whether the bank has developed necessary systems, including requiring
outsourcing contractors to develop necessary systems under outsourcing contracts.

(i) Risk Management
Whether the bank conducts comprehensive verification of various risks related to outsourcing, 
such as the impact that may be inflicted on the banking business if it fails to receive services as 
specified under the outsourcing contract, and whether the bank considers what actions to take when 
such risks materialize. 
(ii) Selection of Outsourcing Contractors 
Whether the bank selects outsourcing contractors by examining the capability of providing service 
in a sufficient level from the viewpoint of the rationality of the bank’s management, the sufficiency 
of their financial and management conditions to provide services as specified under contracts and to 
bear responsibility for the payment of damages, and whether it doesn’t have problems from the 
viewpoint of the reputation of the bank. 
(iii) Contents of Contract
Whether the outsourcing contract includes sufficient contents, such as specifying the following
items:

A. The contents and level of the service to be provided and the procedures for the cancellation

B. The responsibility of the outsourcing contractor when the service is not provided as specified
under the contract. The responsibility of the payment of damages that may arise with regard to
the outsourcing, including the provision of collateral when necessary.

C. The contents of reports that the bank would receive from the outsourcing contractor with regard
to the outsourced business operation and the contractor’s management condition concerning the
outsourced business operation.

D. Arrangements concerning how to meet requests from the financial authority in relation to
inspection and supervision.

(iv) Legal Obligations, etc. Imposed on the Bank 
Whether the outsourcing does not impede the fulfillment of the legal obligations, etc. that would 
be imposed on the bank if the bank were to conduct the outsourced business operation on its own. 
(v) Bank’s Management System 
Whether the bank has developed internal control systems such as positioning a manager in charge 
of outsourced business operation, monitoring and verifying which includes incorporating the 
content in the contract that the bank can check the outsourcing business contractor regarding the 
appropriateness of the outsourced business operation. 
(vi) Provision of Information
Whether the bank receives reports about the implementation of the outsourced business operation
constantly.
In addition, whether there is a system to ensure the prompt reception of appropriate information
when necessary.
(vii) Audits
Whether the outsourced business operation is subject to audits.
(viii) Emergency Actions
Whether the bank considers measures to avoid major disruptions to the banking business when the
outsourced business operation is not provided as specified under the outsourcing contract. Whether
the bank has developed a system to provide the service to customers in place of the outsourcing
contractor.

(ix) Outsourcing to Group Company
In cases where the bank has signed an outsourcing contract with a group company, whether the
contents of the contract do not virtually constitute the provision of support to the outsourcing
service contractor, thus violating the Arm’s Length Rule.


III-3-3-4-3 Supervisory Method and Actions


(1) When there is a Problem with the Bank’s Management System 


In cases where a bank’s internal control system is deemed to have a problem in light of the results 
of inspection or the contents of a notification on misconduct and other problematic conduct, the FSA 
shall require the submission of a report under Article 24 of the Banking Act when necessary. If a 
serious problem is recognized, the FSA shall take an action such as ordering business improvement 
under Article 26 of the Banking Act. 


(2) When there is a Problem with the Outsourcing Contractor’s Business Operation System 


(i) Actions against the bank 


In cases where the outsourcing contractor’s system to conduct business operations is deemed to 
have a problem in light of the results of an inspection or where an outsourcing contractor is deemed 
to be managing business operations in an inappropriate manner in light of the contents of a 
notification on misconduct and other problematic conduct, the FSA shall first strive to identify 
factual evidence, including the state of the bank’s management system, through the bank. In such 
cases, the FSA shall also require the bank to submit a report under Article 24 of the Banking Act. If 
a serious problem is recognized, the FSA shall take action, such as ordering business improvement 
under Article 26 of the Banking Act. However, the FSA may also take actions specified in (ii) below
at the same time with due consideration of the urgency or materiality of the case.


(ii) Actions against the Outsourcing Contractor 


In cases where it is expected to be difficult to sufficiently grasp the actual state through the
actions specified in (i), the FSA shall strive to identify factual evidence through measures such as
directly interviewing the outsourcing contractor. The FSA shall require the outsourcing contractor to
submit a report on necessary matters, such as factual evidence, analysis of the cause of the problem
and improvement/corrective measures under Article 24(2) of the Banking Act in cases where it is
deemed that it is particularly necessary to do so, such as where many financial institutions outsource
business operations to the same outsourcing contractor or when the entire settlement system could
be affected.


(Note) When interviewing the outsourcing contractor, the FSA shall require the attendance of a
representative of the bank when necessary.

V-3-3-5 Relationship between Banks and Securities Subsidiaries, etc.


(1) The Financial Instruments and Exchange Act (hereinafter referred to as “FIEA”) contains a regulation
about the firewall between a bank and its securities subsidiary. Article 17-5(2)(v) of the Banking Act
Enforcement Ordinance specifies that FSA will check the implementation of measures to ensure the
sound and appropriate management of the business operations of a Bank, etc. Eligible to be a
subsidiary Company, as criteria for review for the authorization of making a Bank, etc. Eligible for
Subsidiary Company the bank’s subsidiary. Regarding the meaning of these regulations, the FSA
would pay attention to the following point.

* Whether the bank, etc. is not involved in acts prohibited under Article 44-3 of the FIEA in relation to 
affiliated financial instruments business operators. “Affiliated financial instruments business 
operators” refers to financial business operators of which the bank, etc. is the parent bank, etc. as 
specified under Article 31-4(3) of the FIEA, or of which the bank, etc. is a subsidiary as specified 
under Article 31-4(4). 


(2) When a bank, etc. conducts acts in relation to affiliated financial instrument business operators
specified under Article 153-(1)(vii) of the Cabinet Office Ordinance of Financial Instruments 
Businesses, etc. concerning the management of legal compliance, management of risks of loss, 
internal audits and inspections, financial affairs, accounting affairs and tax affairs (referred to as 
“internal control operations” in this section), the bank, which is a registered financial institution, and 
the affiliated financial instruments business operator should specify the information management 
system in the business operation manual, such as the appropriate implementation of measures to 
prevent leak of non-disclosure information from divisions engaging in internal control operations. 

The integration of internal control operation not only enables enhancement and efficiency 
improvement of the execution of the operation, but may also generate risks that may impede sound 
and appropriate management. The risks, for example, are that the range and the location of 
responsibilities for the integrated internal control operation between the bank and the affiliated 
financial instruments business operator, will be unclear, and that the substantial internal control 
function of the bank, etc. will not work, when the person in charge of internal control at the bank, etc. 
neglects the execution of the management and supervision of internal control and does not execute 
them by itself. Due to these reasons, and from the viewpoint of supervision of banks, the FSA staff
shall pay special attention to the following points.


(i) Regarding the integrated internal control operations, whether the office regulations and 
organization regulations specify the distribution of authority and responsibility between the bank, 
etc. and the affiliated financial instruments business operator, and whether they specify the range of 
authority and responsibility of the director, etc. in charge of the internal control operations and the 
range of the officers engaged in the business operation at the bank, etc. including officers
concurrently engaged in the business operation of the affiliated financial instruments business
operator, to prevent the bank, etc. from neglecting the execution of the substantial management and
supervision of internal control and not executing them by itself. In the case of a foreign bank
branch, the director in charge of the internal control operations means the branch manager, deputy
branch manager, the head of the management division or other officers, suited to take responsibility,
hereinafter referred to as “director, etc. in charge”.

(ii) Regarding the organization and personnel structure to enable a bank, etc. to fulfill the 
responsibility for managing internal control operations, whether management systems as described 
below have been developed: 

A. Whether the director, etc. in charge accurately recognizes the status of business operations and 
has the responsibility and authority to ensure appropriate execution of the business operations. 
And whether the director, etc. in charge has the responsibility and authority to make appropriate 
reports and explanations to the board of directors, etc. including a superior in the line of duty at 
the head office and the officer in charge of the internal control operations in the case of a foreign 
bank branch; hereinafter referred to as the “board of directors, etc.” and to supervisory 
authorities. 

B. When there is a possibility that the check-and-balance function by the director, etc. in charge
over the sales division will fail to work, whether measures to ensure the effectiveness of the 
check-and-balance function have been taken. For example, when the manager of a foreign bank 
branch is concurrently engaged in an executive post at a particular sales division or is virtually 
engaged in the operations of the division, whether an officer in charge of supervising the 
administrative operations other than the branch manager has been appointed independently from 
the sales division, and whether there is a system for the officer to directly report to the board of 
directors, etc. in addition to reporting to the branch manager. 

C. When the bank, etc., has opted to establish a consultation body between an affiliated financial 
instruments business operator for the purpose of ensuring the effectiveness of the 
check-and-balance function, the FSA shall pay special attention to the following points:
Whether the duties of the director, etc. in charge regarding the decision-making process of the 
consultation body and the involvement of the bank, etc. therein have not lost substance and 
whether the effectiveness of the check-and-balance function has not been undermined, through 
the use of the consultation body for the purpose of promoting sales activity. For example, to 
prevent this, whether the purpose of the consultation body and the procedures regarding the 
body, including the method for decision-making and the compilation of minutes of meetings and 
the authorities and responsibilities of each member have been clarified. 

(iii) When necessary for the purpose of supervision, the FSA shall require the bank, etc. to submit 
reports and materials regarding the following points under Article 24(1) or Article 52-31(1) of the 
Banking Act. When necessary, the FSA shall also require the financial instruments business operator 
which is a subsidiary of the bank, etc. to submit reports (excluding the affiliated financial institution 
related to a foreign bank branch; however, it should be noted that regarding the financial
instruments business operator that has special relationship with a foreign bank pertaining to the
foreign bank branch, specified in Article 14 of the Enforcement Ordinance, the FSA can require the
foreign bank branch to submit reports under Article 48 of the Banking Act).
A. Policy and procedures regarding the implementation of internal control operations 
B. The division of the authorities and administrative work of the officer engaged in internal control 
operations, such as the director, etc. in charge 
C. The status of development of various other rules. 
D. The state of the personnel and organizations engaged in the implementation of internal control
operations. 


(Note) “Bank, etc.” refers to ordinary banks, foreign bank branches and bank holding companies. 